Spyderbat
© SPYDERBAT, Inc., All Rights Reserved
How to Use the Investigations Feature in Spyderbat

Quick look at the causal graph in the process investigation section of the Spyderbat console, tips on how to add and remove data from the causal graph view and how to share Investigation permalinks.

Last updated 1 year ago

Published: August 20, 2021

Any Record in Spyderbat that you investigate from a Search or a Dashboard card can be viewed in the context of its Causal Tree. From within the Investigation section, click the ‘star‘ to the right of any Record in the Records table to add it to the tree.

On the top of the Causal Tree, there are a number of options.

  • Clear the Causal Tree by clicking the trash can.

  • Use the undo/redo buttons to undo or redo actions performed in the Causal Tree (e.g. adding or removing nodes).

  • The next icon auto-focuses the view on the current contents of the tree.

  • The magnifying glass icons zoom in or out of the Causal Tree, the same as using the scroll wheel on your mouse.

  • The “save to Data Layer” button is extremely useful: it saves whatever is currently displayed on the graph as its own Data Layer, i.e. a subset of Records.

Enabling only that Data Layer (by disabling all others) lets you explore just that data set in both the Causal Tree and the Records table. This is a convenient way to view every process (or command that was executed) in the tree and in tabular form without any extraneous data. In addition, when only a Data Layer saved from the Causal Tree is enabled:

  • Use the “Previous Node” and “Next Node” buttons located at the bottom of the Causal Tree to step through the tree in chronological order.

  • Use the “Copy Investigate Link” button to share a very focused set of activity or the story of an attack with a colleague or for future reference.

A left-click selects a node. This displays more information about the node in the Details panel. It also highlights relevant records in the Records table tab.

Right-clicking a node is very useful for both removing and adding additional items to the Causal Tree.

Removing nodes:

  • Selecting “remove self” removes the node and every node that depends on it. For example, removing a bash process also removes all of the child processes under that bash.

  • Selecting “auto prune” removes every node that neither carries a Flag nor is directly causally connected (parent or child) to a node that carries a Flag.

Adding nodes:

  • Children are directly connected to the selected node.

  • Descendants are every following node causally connected to the selected node.

  • Connections are any Network connections with a causal relationship to children or descendants.

The Causal Tree only displays records captured in the enabled Data Layers. What if there is activity outside the original query time frames of those Data Layers?

Loading Children or Descendants:

  • Choosing to load Children or Descendants via Search performs a search for related activity across all time known to Spyderbat, not just the query window of the current Data Layers, and brings whatever is found in as another Data Layer.

Lastly, we want to show you a powerful option for the Causal Tree under the options drop-down. Selecting “show relative time” displays, for whichever node is selected, the time of every other node relative to that node. For example, in the screenshot referenced above the bash shell node is selected, so the tree shows how long after the shell started each command was run. This is tremendously useful when viewing traces that span a long period, because the temporal distance between activities becomes visible at a glance. In that example, it is clear that the “whoami” command occurred 11 minutes after the previous commands.
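To make the node operations above concrete, here is an added example that is not Spyderbat's own code or data model: it models a process Causal Tree in plain Python, with its own assumed field names (`id`, `name`, `ts`, `parent`, `flagged`) and a constructed sample session, and implements “remove self”, “auto prune”, loading descendants, and “show relative time” as described in this tutorial. How survivors are re-attached to the tree after a prune is this example's own modeling choice, not a documented Spyderbat behaviour.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Node:
    """One Record in the tree (a process). Field names are this example's own."""
    id: str
    name: str
    ts: datetime              # process start time
    parent: Optional[str]     # causal parent: the process that spawned this one
    flagged: bool = False     # True when a detection Flag is attached


class CausalTree:
    def __init__(self, nodes: list[Node]) -> None:
        self.nodes: dict[str, Node] = {n.id: n for n in nodes}

    def children(self, node_id: str) -> list[str]:
        """Nodes directly caused by node_id."""
        return [n.id for n in self.nodes.values() if n.parent == node_id]

    def descendants(self, node_id: str) -> list[str]:
        """Every node causally downstream of node_id, breadth-first."""
        out, queue = [], deque(self.children(node_id))
        while queue:
            cur = queue.popleft()
            out.append(cur)
            queue.extend(self.children(cur))
        return out

    def remove_self(self, node_id: str) -> list[str]:
        """'remove self': drop the node and everything it caused."""
        doomed = [node_id] + self.descendants(node_id)
        for nid in doomed:
            del self.nodes[nid]
        return doomed

    def auto_prune(self) -> list[str]:
        """'auto prune': keep nodes that carry a Flag or are a direct parent
        or child of a flagged node; drop every other node."""
        keep: set[str] = set()
        for n in self.nodes.values():
            if n.flagged:
                keep.add(n.id)
                if n.parent is not None:
                    keep.add(n.parent)
                keep.update(self.children(n.id))
        removed = [nid for nid in self.nodes if nid not in keep]
        # Modeling choice (assumption): a survivor whose parent was pruned is
        # re-attached to its nearest surviving ancestor so causal order holds.
        for nid in keep:
            p = self.nodes[nid].parent
            while p is not None and p not in keep:
                p = self.nodes[p].parent
            self.nodes[nid].parent = p
        for nid in removed:
            del self.nodes[nid]
        return removed

    def relative_times(self, node_id: str) -> list[tuple[str, float]]:
        """'show relative time': seconds from the selected node's start to each
        descendant's start, in chronological order."""
        base = self.nodes[node_id].ts
        rows = [(self.nodes[d].name, (self.nodes[d].ts - base).total_seconds())
                for d in self.descendants(node_id)]
        return sorted(rows, key=lambda r: r[1])


def sample_tree() -> CausalTree:
    """Constructed sample data: an SSH session whose bash shell runs a few
    commands, then `whoami` eleven minutes later, then python3 -> sh -> nc."""
    t0 = datetime(2021, 8, 20, 12, 0, 0)

    def at(seconds: int) -> datetime:
        return t0 + timedelta(seconds=seconds)

    return CausalTree([
        Node("p1", "sshd", at(0), None),
        Node("p2", "bash", at(5), "p1"),
        Node("p3", "ls", at(10), "p2"),
        Node("p4", "cat /etc/passwd", at(20), "p2"),
        Node("p5", "whoami", at(665), "p2", flagged=True),
        Node("p6", "python3", at(720), "p2"),
        Node("p7", "sh", at(722), "p6"),
        Node("p8", "nc", at(725), "p7", flagged=True),
    ])


if __name__ == "__main__":
    tree = sample_tree()
    for name, secs in tree.relative_times("p2"):   # bash selected
        print(f"{name:<16} +{secs / 60:5.1f} min")
    print("auto prune removed:", tree.auto_prune())
    print("remaining:", [n.name for n in tree.nodes.values()])
```

Run as a script, the relative-time listing shows `whoami` at +11.0 min from the bash node, while `ls` and `cat` sit within the first 15 seconds, which is exactly the temporal gap the tutorial points out. After `auto_prune`, only `bash`, `whoami`, `sh` and `nc` remain: the two flagged processes plus their direct parents, with `sh` re-attached under `bash` because its original parent `python3` was pruned.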

Thank you and Happy Tracing!

Screenshots referenced in this tutorial (images not included here): Investigation; Top of Causal Tree; Right clicking a node in a Causal Tree; Causal Tree; Loading Children or Descendants.